Vibe Coding Security Checklist: 15 Checks

We maintain this checklist internally and update it based on our scanning data. Every item maps to a vulnerability class we find in 30% or more of AI-generated applications. Print it, pin it, or paste it into your project management tool.

Authentication & Authorization

1. Every server action has an auth check

Search for every 'use server' directive. Each function must verify the session before performing any operation. No exceptions, including "read-only" actions that return user-specific data.

2. Every route handler has an auth check

Same rule for route.ts files. The AI generates these without auth checks about 70% of the time in our data.

3. Multi-tenant queries are scoped to the current organization

If your app has organizations, teams, or workspaces, every database query must include a WHERE clause scoping results to the user's org. A missing scope is an IDOR.

// Every query must be scoped
const projects = await db.project.findMany({
  where: {
    organizationId: session.user.organizationId, // Required
    // ... other filters
  },
});

4. Role checks exist for admin operations

If the AI generated an admin dashboard, verify that admin routes and actions check the user's role. Not just authentication — authorization.

Input Validation & Injection

5. All user input is validated with Zod (or equivalent) on the server

Client-side form validation is not security. Server-side validation with a schema library catches type confusion, oversized payloads, and malformed data.

6. No raw SQL with user input

Search for $queryRawUnsafe, $executeRawUnsafe, sql.raw, and any manual string concatenation in SQL. Replace with parameterized queries or ORM methods.

# Quick check
grep -rn 'queryRawUnsafe\|executeRawUnsafe\|sql\.raw' src/

7. File uploads are validated and stored safely

If the app accepts file uploads, check: file type validation (not just extension — check magic bytes), size limits, storage outside the web root (use S3/R2, not the public/ directory), and no execution permissions.

Secrets & Configuration

8. No secrets in NEXT_PUBLIC_ variables

Review every NEXT_PUBLIC_ variable. API secret keys, database credentials, and signing secrets must never have this prefix.

9. No secrets in the client bundle

Build your app and search the .next/static directory for known secret patterns:

npx next build
grep -rn 'sk_live\|sk_test\|password\|secret\|DATABASE_URL' .next/static/

10. .env file is in .gitignore

Verify .env, .env.local, and .env.production are all gitignored. Check your git history for accidental commits of secrets.

Transport & Headers

11. Security headers are configured

At minimum: Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy. CSP if you can configure it correctly with your framework.

12. CORS is restricted to your domains

If you set CORS headers, they should allow only your specific domains — not * (wildcard). AI frequently generates permissive CORS for development and never tightens it.

Rate Limiting & Abuse Prevention

13. Auth endpoints are rate limited

Login, registration, password reset, and OTP verification endpoints must have rate limiting. 10-20 requests per minute per IP is a reasonable starting point.

14. Expensive operations are rate limited

AI generation, file processing, email sending, and external API calls should all have rate limits. Without them, a single user can run up your infrastructure bill or exhaust your third-party API quotas.

Deployment

15. Run an automated security scan against the deployed app

Everything above catches the known patterns. A scan catches the interactions between them — an auth bypass that chains through a redirect to an IDOR, or a CSRF that exploits a missing header. Source code review and live scanning are complementary, not interchangeable.

This checklist catches approximately 80% of the critical vulnerabilities we find in AI-generated apps. The other 20% are business-logic issues specific to each app. For those, you need either a manual security review or an AI-powered scanner that can reason about your app's specific logic.

Making It Stick

Add this checklist as a GitHub issue template or a PR checklist. Run through it on every feature branch. The cost of checking 15 items is a few minutes. The cost of missing one is a breach notification to your users.

If you want to automate the dynamic checks (items 1-4, 6, 11-13, 15), that's what NeuroStrike's vibe scan does. It tests your running app for these specific patterns and gives you a pass/fail on each.